Computer Security Procedures: Carelessness, Indifference, Poor Management or a Trifecta?

September 27, 2022

$35M Fine for Morgan Stanley after Unencrypted, Unwiped Hard Drives Are Auctioned”  raises an interesting question about security in an important company. The write up asserts:

The SEC action said that the improper disposal of thousands of hard drives starting in 2016 was part of an “extensive failure” over a five-year period to safeguard customers’ data as required by federal regulations. The agency said that the failures also included the improper disposal of hard drives and backup tapes when decommissioning servers in local branches. In all, the SEC said data for 15 million customers was exposed.

Morgan Stanley. Outstanding. If the story is accurate, the auctioning of the drives fits with the parsimonious nature of banks in my experience. Banks like to accept money; banks do not like to output money. Therefore, selling old stuff is a matter of removing the detritus, notifying the person charged with moving surplus to a vendor, and cashing the check for the end of life, zero life clutter. Standard operating procedure? Probably. Does senior management know about hardware security for old gear? My hunch is that most senior managers know about [a] cross selling, [b] sparking deals, [c] getting on a talking head financial news show, and [d] getting the biggest bonus possible. Security is well down my hypothetical list.

Net net: Security is easy to talk about. Security requires management know how and attention to business processes, not just deals and bonus payments.

Stephen E Arnold, September 27, 2022

Comments

Got something to say?





  • Archives

  • Recent Posts

  • Meta